[Owasp-delhi] Rediff Vulnerability

Nitin Saxena nitins at cybermedia.co.in
Thu May 28 04:24:07 EDT 2009


Sure, at present I have escalated this to some of their senior management. If required we will collate our efforts as Delhi OWASPians to get this corrected.

If there are any more such escalations to be made in this or other contexts, do let me know; I will make a representation to the designated authorities.


Regards
Nitin Saxena
  ----- Original Message ----- 
  From: Lakshmanan, Sriram 
  To: Nitin Saxena ; Nilesh Kumar (India) ; abhay.bhargav at sisa.co.in 
  Cc: owasp-delhi at lists.owasp.org 
  Sent: Thursday, May 28, 2009 1:50 PM
  Subject: RE: [Owasp-delhi] Rediff Vulnerability


  You are right Nitin. 
  Rediff, I'm told, is actually performing an assessment of things they need to fix on all their web presence and also fixing them as they go along. If any of you have a report on other issues on that site, pass it along & I can forward it to someone who is coordinating these XSSs to be fixed. Nitin, Abhay and Nilesh are already marked on my previous communication to that person.

  Cheers/Sri



------------------------------------------------------------------------------
  From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Nitin Saxena
  Sent: Thursday, May 28, 2009 12:47 PM
  To: Nilesh Kumar (India); abhay.bhargav at sisa.co.in
  Cc: owasp-delhi at lists.owasp.org
  Subject: Re: [Owasp-delhi] Rediff Vulnerability


  They may have started rectifying the vulnerabilities at the moment; let's wait for a few days more and see if it is corrected.

  Regards
  Nitin Saxena
    ----- Original Message ----- 
    From: Nilesh Kumar (India) 
    To: nitins at cybermedia.co.in ; abhay.bhargav at sisa.co.in 
    Cc: owasp-delhi at lists.owasp.org 
    Sent: Thursday, May 28, 2009 12:34 PM
    Subject: FW: [Owasp-delhi] Rediff Vulnerability


     Sorry, still not fixed completely. Even on the main page itself it is restricting scripts in simple form, but not encoded ones. ;)

     Apart from this, every second search module is suffering, like Product search, Shopping, Matchmaker, Astrology, Jobs... endless.

     Wherever there is a search module, high chance of vulnerability.

    Abhay, the main page search engine might be executing only encoded ones, but search modules on other pages are still happily executing normal scripts. :)

    Just an eyewash :) from Rediff.

    Thanks,

    Nilesh Kumar CEH ISMS LA

    Security Specialist

    Governance, Risk & Compliance (GRC)
    ________________________________________________________________________ 

    Cell:+91-9891524880 


    SDG Software India Pvt. Ltd. 
    A-10, Sector 2,NOIDA 201301, (UP), INDIA 
    Website: www.sdgc.com 

    Please Note: The e-mail content is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you have erroneously received this message, please delete it immediately and notify the sender. Before opening any attachments please check them for viruses and defects.

    From: Nilesh Kumar (India)
    Sent: Thursday, May 28, 2009 11:00 AM
    To: 'Nitin Saxena'; 'abhay.bhargav at sisa.co.in'
    Cc: owasp-delhi at lists.owasp.org
    Subject: RE: [Owasp-delhi] Rediff Vulnerability

    That's great!



    Thanks a lot Nitin for your initiatives!

    It only led to getting a mail from one Rediff authority to me that the issue will be solved soon, referring to my report sent to them a couple of months back. Now fixed.


    Abhay, good job done!


    Thanks,

    Nilesh Kumar CEH ISMS LA

    Security Specialist

    Governance, Risk & Compliance (GRC)

    http://nileshkumar83.blogspot.com 
    ________________________________________________________________________ 

    Cell:+91-9891524880 


    SDG Software India Pvt. Ltd. 
    A-10, Sector 2,NOIDA 201301, (UP), INDIA 
    Website: www.sdgc.com 


    From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of SISA Abhay Bhargav
    Sent: Wednesday, May 27, 2009 7:58 PM
    To: owasp-delhi at lists.owasp.org
    Subject: [Owasp-delhi] Rediff Vulnerability


    Hi All


    I am pleased to see that the Rediff Search XSS issue has been fixed. Although I reported the issue to Rediff, I would like to thank some members of OWASP Delhi for having taken the matter to a higher plane and reporting it to someone who has been proactive. 


    Unfortunately, several other Rediff sites are as vulnerable to XSS as ever. I will probably go ahead and report this issue as well. Hopefully it gets sorted out as quickly as the previous one. 


    Check it out: http://citadelnotes.blogspot.com


    Regards

    Abhay Bhargav

    CISSP, CPA, CISA, PCI QSA, OCTAVE Implementer



    SISA Information Security (P) Ltd| Ph 91 80 41153769| Fx 91 80 41153796


This e-mail, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity
to which it is addressed. If the reader of this e-mail is not the intended
recipient or his or her authorized agent, the reader is hereby notified
that any dissemination, distribution or copying of this e-mail is
prohibited. If you have received this e-mail in error, please notify the
sender by replying to this message and delete this e-mail immediately.